Identity theft has become more prevalent in
recent years; about 10 million incidents occur
each year.¹ IT professionals must understand
the need for personally identifiable information
(PII) discovery to protect themselves and their
company from the civil, legal and financial
liabilities caused by data loss. As documents
migrate to digital form from hard copy, sensitive
personal information gets stored in a variety of
places digitally. National and international laws
are in place requiring companies to search for
confidential data to ensure compliance. Some
US examples include the Family Educational
Rights and Privacy Act (FERPA) and the Health
Insurance Portability and Accountability Act
(HIPAA). At the state level in the US, New
York State’s Disposal of Personal Records Law
(2006) requires businesses to “properly dispose
of records containing personal information,”
implying that this information must be unreadable
and unrecoverable. International privacy laws,
many of which are more stringent than those in
the US, require similar activity.²

To comply with these laws, security
professionals use a variety of sensitive
information discovery tools to find and remove
readily available information stored on end-point
devices. While current PII discovery tools can
find information that is readily available, they are
not capable of discovering information that has
been encrypted, obfuscated, hidden or deleted, or
that is otherwise unrecoverable. It is critical to note that
the content and metadata of deleted files can be
easily recovered using standard forensics tools.
This paper will introduce computer forensics
techniques to reveal sensitive data that are likely
to be missed by PII tools, including data in RAM,
graphics files, registry information or
files marked as deleted.